[Webkit-unassigned] [Bug 116511] New: Fix two assertion failures in Range::insertNode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 20 19:50:04 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=116511

           Summary: Fix two assertion failures in Range::insertNode
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: BlinkMergeCandidate
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rniwa at webkit.org
                CC: darin at apple.com, ap at webkit.org, tkent at chromium.org


We should probably merge https://chromium.googlesource.com/chromium/blink/+/519217f5819e51a195a79abff822474ec66d157d

> ASSERTION FAILED: childBefore == (offset ? container->childNode(offset - 1) : 0)
> third_party/WebKit/Source/WebCore/dom/RangeBoundaryPoint.h(115) : void WebCore::RangeBoundaryPoint::set(PassRefPtr<WebCore::Node>, int, WebCore::Node *)

> ASSERTION FAILED: child->parentNode()
> ../../third_party/WebKit/Source/core/dom/RangeBoundaryPoint.h(133) : void WebCore::RangeBoundaryPoint::setToBeforeChild(WebCore::Node *)
>  1   0x87594b2 WebCore::RangeBoundaryPoint::setToBeforeChild(WebCore::Node*)
>  2   0x87534a9 WebCore::Range::insertNode(WTF::PassRefPtr<WebCore::Node>, int&)

Range::insertNode calls Node::insertBefore, in which an event handler can update
the DOM structure so that RangeBoundaryPoint don't like.  We postpone event
dispatching by EventQueueScope.

Also, remove old comments about Acid3. The behavior is standardized.

We need to update fast/dom/insertBefore-refChild-crash.html because the test
caused recursive calls to the event handler. container.innerHTML='' did nothing
before this CL. Now container has the newChild because DOMNodeRemoved
event dispatching is delayed until Range::insertNode completion.

We need to update fast/text/split-text-crash.xhtml so that it doesn't stop when
the event handler is called twice. I'm not sure why the test worked before this CL.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list